
Ruby on Rails Password Complexity Cheatsheet


Enforcing password complexity in a web application is an essential step in preventing password-guessing attacks.

If you use Devise to implement authentication in a Rails app, you can use the zxcvbn gem for Devise (devise_zxcvbn) to enforce password complexity: it scores each new password with the zxcvbn strength estimator and rejects passwords below a configured score.

Install it by adding the gem to your Gemfile (next to devise) and running bundle install:

    # Gemfile
    gem 'devise'
    gem 'devise_zxcvbn'

Configure your user model with it by adding the :zxcvbnable module to the devise call:

    # app/models/user.rb
    class User < ApplicationRecord
      devise :database_authenticatable, :zxcvbnable
        # other devise features, then
    end

And configure the required password complexity:

    # in config/initializers/devise.rb
    Devise.setup do |config|
      # zxcvbn score for devise: the minimum score (0-4) a password must reach; 4 is the strongest
      config.min_password_score = 4 # complexity score here.
    end
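To make the effect of the three steps above concrete without a Rails app, here is an added example (not code from the OWASP page or from the devise_zxcvbn gem) of a plain-Ruby user model that applies the same rule a :zxcvbnable model applies: compute a 0-4 strength score for the password, treat the user's own e-mail and name as words that must not appear in it (devise_zxcvbn passes the e-mail to zxcvbn for this reason; that detail is an assumption here), and refuse to validate when the score is below the configured minimum. The `score_password` function is a constructed stand-in for zxcvbn's estimator, good enough to exercise the validation logic but not a substitute for the real library; `COMMON_PASSWORDS`, `User`, `password_weak_words` and the sample accounts are all constructed for the example.

```ruby
# Added example, not from the OWASP page or the devise_zxcvbn gem.
require 'set'

# Constructed stand-in for zxcvbn's dictionary of frequently used passwords.
COMMON_PASSWORDS = Set.new(%w[password 123456 qwerty letmein welcome admin]).freeze

# Constructed 0..4 scorer. Real zxcvbn estimates the number of guesses an
# attacker needs from many patterns; this version only looks at length,
# character variety, dictionary hits and the user's own words.
def score_password(password, weak_words: [])
  pw = password.to_s
  lowered = pw.downcase
  return 0 if pw.empty? || COMMON_PASSWORDS.include?(lowered)
  # A password built around the account's own e-mail or name scores 0.
  return 0 if weak_words.any? { |w| w.to_s.length >= 3 && lowered.include?(w.to_s.downcase) }

  classes = [/[a-z]/, /[A-Z]/, /\d/, /[^A-Za-z\d]/].count { |re| pw.match?(re) }
  score = 0
  score += 1 if pw.length >= 8
  score += 1 if pw.length >= 12
  score += 1 if classes >= 3
  score += 1 if pw.length >= 16
  score
end

# Plain-Ruby model standing in for a Devise :zxcvbnable ApplicationRecord.
class User
  MIN_PASSWORD_SCORE = 4 # mirrors config.min_password_score in the initializer

  attr_accessor :email, :name, :password
  attr_reader :errors

  def initialize(email:, name:, password:)
    @email = email
    @name = name
    @password = password
    @errors = []
  end

  # Words derived from the account that must not appear in the password
  # (hypothetical helper; the e-mail local part and the display name).
  def password_weak_words
    local_part = email.to_s.split('@').first.to_s
    [local_part, name].compact.map(&:to_s).reject(&:empty?)
  end

  def password_score
    score_password(password, weak_words: password_weak_words)
  end

  # Returns false and records an error when the score is below the minimum,
  # which is what blocks the sign-up or password change in the Devise flow.
  def valid?
    @errors = []
    if password_score < MIN_PASSWORD_SCORE
      @errors << "password is too weak (score #{password_score}, need #{MIN_PASSWORD_SCORE})"
    end
    @errors.empty?
  end
end

if __FILE__ == $PROGRAM_NAME
  [
    User.new(email: 'alice@example.com', name: 'Alice Liddell', password: 'Alice-Liddell-2024!'),
    User.new(email: 'alice@example.com', name: 'Alice Liddell', password: 'Tr0ub4dor&3'),
    User.new(email: 'alice@example.com', name: 'Alice Liddell', password: 'C0rrect-H0rse-Battery-Staple!')
  ].each do |u|
    puts "#{u.password.inspect}: score #{u.password_score}, valid=#{u.valid?} #{u.errors.join}"
  end
end
```

Because the page sets `min_password_score` to 4, the top of the 0-4 scale, only the strongest passwords are accepted; lowering the value in the initializer loosens the policy, and the same check is applied whether the password arrives through sign-up, password change or password reset, since it lives in the model rather than in a single form.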